(Working) Windows Hello for Business Yubikey Login

May 8, 2020, by Patrick Grubbs

Windows Hello is one of the easiest ways to add biometric authentication to your sign-in flow, and if you're already using other common components of the Microsoft ecosystem for identity (AD or Azure AD), integration is a cinch.

One of the most useful features of Windows Hello is the ability to use FIDO2 security keys, such as the Yubikey, in addition to (or as a replacement for) the device's own biometric hardware. It's particularly useful where devices don't have a built-in biometric scanner, as is the case in many managed device deployments.

Unfortunately, the existing Yubikey-Windows Hello solution has a major limitation: only the Yubikey 4 series keys are compatible, not the newer 5 series.

However, Windows Hello does still support FIDO2, and, in our capacity as an official Yubico Partner, SecureW2 has developed a solution for enrolling Yubikey 5 series keys with digital certificates. So, yes, it's still possible to use Yubikeys with Windows Hello (and Windows Hello for Business) through our solution, and our implementation comes with some significant upgrades.

Advantages of using Certificates on Yubikeys

PIV-backed security keys like the Yubikey are an excellent tool for hardening authentication because they add a factor that a stolen password can't satisfy: "something you have".

Passwords and PINs are a different factor: "something you know". Since a Yubikey requires both its PIN and physical possession of the token, it is two-factor authentication in and of itself.

Adding a digital certificate to the Yubikey with our software doesn't introduce a new category of factor (a certificate is not "something you are"; that's biometrics), but it does bind the "something you have" factor to an identity. The private key is generated on the Yubikey and can't be exported, and the certificate ties that key to a specific user or device. In that sense it is like a photo ID: issued by a trusted authority, tied to one identity, and not transferable. It also doesn't add any burden to the end user like a password does, preserving the user experience.

A Yubikey that requires its PIN and holds a non-exportable certificate is a strong MFA token. Limiting network access to those with a properly configured security key raises the bar for an attacker considerably: there is no password to phish or replay, and the private key can't be copied off the key.

PIV vs FIDO2 Authentication

With a certificate, the user's identity is established once, when the certificate is issued, and every certificate-aware service trusts the same issuing CA. FIDO2, by contrast, requires you to register the security key with each application (relying party) individually. That makes for an especially poor user experience when a security key is lost: the user has to re-register a new key with every application, one at a time.

Using certificates with security keys avoids these issues, and lets the same key be used for applications that FIDO2 doesn't cover, like VPN or Wi-Fi (802.1X/EAP-TLS) authentication.

There is a downside to using PIV-backed certificate authentication with a security key: enrolling and installing a certificate isn't easy. Yubico's native tooling does support certificate enrollment, but it's a manual, per-key procedure: change the factory PIN and management key, generate a key in a PIV slot, produce a CSR, have the CA sign it and import the result. That's a huge burden on IT, and it's not just an upfront cost. Each key would need to be reconfigured individually to reflect changes in ownership, network access policy, etc.
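To make the manual procedure concrete, here is the per-key enrollment as a Windows administrator would type it, followed by the checks a certificate must pass before Windows will use it for smart card / Windows Hello for Business logon. This is an added example, not SecureW2's or Yubico's code. It uses ykman 4.x command syntax and an AD CS enterprise CA via certreq; the CA config string, the template name, the UPN, and the assumption that the template auto-issues and builds the subject from AD are all hypothetical and not from the article.

```powershell
# Added example (not SecureW2's or Yubico's code): manual per-key PIV enrollment
# with ykman 4.x and an AD CS enterprise CA, then the checks a smart card logon
# certificate must pass. Assumed (not from the article): CA config string,
# template name, UPN, and that the template auto-issues with the subject from AD.
param(
    [string]$Upn      = "jdoe@corp.example",                 # assumed user
    [string]$CaConfig = "CA01.corp.example\Corp Issuing CA", # assumed CA
    [string]$Template = "SmartcardLogon",                    # assumed template
    [string]$Slot     = "9a"                                 # PIV Authentication slot
)
$ErrorActionPreference = "Stop"
$work = Join-Path $env:TEMP "piv-enroll"
New-Item -ItemType Directory -Force -Path $work | Out-Null

function Read-Secret([string]$Prompt) {
    # Read without echo; works on Windows PowerShell 5.1 and PowerShell 7.
    $s = Read-Host -AsSecureString $Prompt
    return (New-Object System.Net.NetworkCredential("", $s)).Password
}

# 1. Every YubiKey ships with the same factory PIN (123456), PUK (12345678) and
#    management key. Until they are changed, anyone holding the key can replace
#    the keys and certificates on it, so this is the first step, not an afterthought.
$factoryMgmtKey = "010203040506070801020304050607080102030405060708"
$pin = Read-Secret "New PIV PIN (6-8 characters)"
$puk = Read-Secret "New PIV PUK (8 characters, keep in escrow)"
ykman piv access change-pin --pin 123456 --new-pin $pin
ykman piv access change-puk --puk 12345678 --new-puk $puk
# Generate a random management key and store it on the device, protected by the
# PIN, so nobody has to handle a 24-byte hex secret per key.
ykman piv access change-management-key --management-key $factoryMgmtKey --generate --protect --pin $pin

# 2. Generate the key pair on the device. PIN policy ONCE means one PIN entry per
#    session; the private key never leaves the secure element.
ykman piv keys generate --algorithm ECCP256 --pin-policy ONCE --touch-policy NEVER --pin $pin $Slot "$work\pub.pem"

# 3. Build a CSR signed by that key. For a smart card logon template AD CS
#    replaces the subject with the requester's AD identity (UPN in the SAN),
#    so the CN here is only a placeholder.
ykman piv certificates request --subject "CN=$($Upn.Split('@')[0])" --pin $pin $Slot "$work\pub.pem" "$work\req.csr"

# 4. Submit to the enterprise CA and fetch the issued certificate.
certreq -submit -config $CaConfig -attrib "CertificateTemplate:$Template" "$work\req.csr" "$work\cert.cer"
if ($LASTEXITCODE -ne 0) { throw "certreq did not return a certificate (denied, pending, or CA unreachable)" }

# 5. Load it into the same slot; --verify refuses a certificate whose public key
#    does not match the private key already in the slot.
ykman piv certificates import --verify --pin $pin $Slot "$work\cert.cer"

# 6. Check what Windows smart card logon needs by default: the Smart Card Logon
#    EKU and the user's UPN in the SAN. Without them the key is never offered
#    as a logon option.
function Test-SmartCardLogonCert([string]$Path, [string]$ExpectedUpn) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    $sanText = if ($sanExt) { $sanExt.Format($true) } else { "" }
    [pscustomobject]@{
        Subject        = $cert.Subject
        SmartCardLogon = $ekus -contains "1.3.6.1.4.1.311.20.2.2"
        ClientAuth     = $ekus -contains "1.3.6.1.5.5.7.3.2"
        UpnInSan       = $sanText -match ("Principal Name=" + [regex]::Escape($ExpectedUpn))
        NotAfter       = $cert.NotAfter
    }
}
$check = Test-SmartCardLogonCert "$work\cert.cer" $Upn
$check | Format-List
if (-not ($check.SmartCardLogon -and $check.UpnInSan)) {
    throw "Certificate is not usable for smart card logon; fix the template before deploying"
}
```

Every step above has to be repeated, with a fresh PIN and PUK, for every key, and again whenever a key changes hands or a user's access changes, which is the operational cost the paragraph describes.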

Our Yubikey solution allows end users to easily self-enroll and configure their security keys for certificates. It also enables admins to set up group policies to manage user access and dynamically segment network resources. Certificate management is easily handled through our intuitive management portal.

Our management portal also supports security key attestation: our software client can verify that a private key was generated on the security key (or in a TPM on any other device) rather than imported from elsewhere.
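What attestation actually verifies is worth seeing by hand. On a Yubikey 5 the attestation statement is an X.509 certificate signed by the device's attestation key (slot f9), which in turn chains to Yubico's PIV attestation root, and it carries the attested public key plus the device serial, firmware and PIN/touch policy in Yubico private extensions. The following is an added example, not SecureW2's or Yubico's code. It assumes ykman 4.x and openssl on PATH, that the issued certificate was saved at $IssuedCert, and that $YubicoRoot is the root certificate Yubico publishes at https://developers.yubico.com/PIV/Introduction/piv-attestation-ca.pem.

```powershell
# Added example (not SecureW2's or Yubico's code): verify a YubiKey 5 PIV
# attestation by hand and tie it to the issued certificate. Assumed (not from
# the article): ykman 4.x and openssl on PATH, $IssuedCert path, and that
# $YubicoRoot is Yubico's published PIV attestation root certificate.
param(
    [string]$Slot       = "9a",
    [string]$IssuedCert = "$env:TEMP\piv-enroll\cert.cer",
    [string]$YubicoRoot = ".\piv-attestation-ca.pem"
)
$ErrorActionPreference = "Stop"
$work = Join-Path $env:TEMP "piv-attest"
New-Item -ItemType Directory -Force -Path $work | Out-Null

# Pull both halves of the chain off the key. A key that was imported rather than
# generated on the device has no attestation, so the first command fails for it.
ykman piv keys attest $Slot "$work\attest.pem"
if ($LASTEXITCODE -ne 0) { throw "No attestation for slot $Slot: the key was not generated on this device" }
ykman piv certificates export f9 "$work\f9.pem"

# Chain: attest.pem <- f9.pem <- Yubico PIV attestation CA. Pinning to Yubico's
# root (not the system store) is what rules out a software key posing as hardware.
& openssl verify -CAfile $YubicoRoot -untrusted "$work\f9.pem" "$work\attest.pem" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Attestation chain did not verify (see openssl output above)" }

function Get-DerContent([byte[]]$Raw, [byte]$Tag) {
    # Yubico's private extensions carry either a single short-form DER TLV or raw
    # bytes; return the content bytes in both cases.
    if ($Raw.Length -gt 2 -and $Raw[0] -eq $Tag -and $Raw[1] -eq ($Raw.Length - 2)) {
        return [byte[]]$Raw[2..($Raw.Length - 1)]
    }
    return $Raw
}

function Get-AttestationInfo([string]$AttestPath) {
    $att = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $AttestPath
    $ext = @{}
    foreach ($e in $att.Extensions) { $ext[$e.Oid.Value] = $e.RawData }

    $fw  = Get-DerContent $ext["1.3.6.1.4.1.41482.3.3"] 0x04   # firmware version, 3 bytes
    $ser = Get-DerContent $ext["1.3.6.1.4.1.41482.3.7"] 0x02   # device serial, DER INTEGER
    $pol = Get-DerContent $ext["1.3.6.1.4.1.41482.3.8"] 0x04   # [pin policy, touch policy]
    $serial = [uint64]0
    foreach ($b in $ser) { $serial = ($serial -shl 8) -bor [uint64]$b }
    $pinNames   = @{1 = "NEVER"; 2 = "ONCE"; 3 = "ALWAYS"}
    $touchNames = @{1 = "NEVER"; 2 = "ALWAYS"; 3 = "CACHED"}

    [pscustomobject]@{
        Serial      = $serial
        Firmware    = "$($fw[0]).$($fw[1]).$($fw[2])"
        PinPolicy   = $pinNames[[int]$pol[0]]
        TouchPolicy = $touchNames[[int]$pol[1]]
        PublicKey   = [Convert]::ToBase64String($att.PublicKey.EncodedKeyValue.RawData)
    }
}

$info = Get-AttestationInfo "$work\attest.pem"
$info | Format-List

# The attested public key must be the one in the certificate the CA issued;
# otherwise the attestation says nothing about the credential actually in use.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IssuedCert
$issuedKey = [Convert]::ToBase64String($issued.PublicKey.EncodedKeyValue.RawData)
if ($issuedKey -ne $info.PublicKey) { throw "Issued certificate does not contain the attested key" }

# Policy is an enrollment decision, not just metadata: a key with PIN policy
# NEVER signs without any PIN, which removes the second factor.
if ($info.PinPolicy -eq "NEVER") { throw "Slot $Slot key is usable without a PIN; re-enroll with --pin-policy ONCE or ALWAYS" }
"Attestation OK: serial $($info.Serial), firmware $($info.Firmware), PIN policy $($info.PinPolicy), touch policy $($info.TouchPolicy)"
```

The serial and policy values are what an enrollment service can record and enforce: refuse keys with a PIN policy of NEVER, and tie each issued certificate to a known device serial so a certificate for a lost key can be revoked by serial.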

These same certificates can be issued against existing identities, as SecureW2 integrates with any Identity Provider (Azure AD, Okta, G Suite, etc.), so you can ensure that only your users have access to your critical applications.

Yubikey 5 Windows Hello for Business Login Configuration

Configuring your Yubikey for Windows Hello for Business authentication is also a breeze. You push the configuration payload to each device, then have the user set up Windows Hello as normal. They will be prompted to enter a PIN, after which the inserted Yubikey is enrolled for a certificate automatically.

Future logins prompt for the PIN (or, on devices that have it, biometric authentication), whichever the user has set up. In the background, the certificate on the Yubikey authenticates the user without any further input.

This solution is ideal for enterprises and large organizations that have issued Yubikeys to their employees for secure access to email, web apps, and other services. It allows you to more fully integrate your Microsoft ecosystem with your network security. Issuing certificates to your Yubikeys with our platform also opens up other Yubikey integrations – Wi-Fi, desktop login, and VPN to name a few.
